May 20, 2011

NSS Labs Warns Of New Security Threats On Power Plants

by ssavage

Computer security research company NSS Labs has warned that it uncovered new ways hackers could sabotage power plants, oil refineries or manufacturing operations.

NSS said it had shared its findings with the U.S. Computer Emergency Readiness Team and was briefing legitimate industrial facilities that are at risk, but was revealing little publicly for the sake of safety.

NSS researcher Dillon Beresford said he found "multiple vulnerabilities" in Siemens programmable logic controllers (PLCs) used in plants around the world to automatically regulate temperatures, pressures, turbine speeds, robot arms and more.

"The security of these systems is not what it should be," NSS chief executive Rick Moy told AFP.

"Comments were made that it took a nation state millions of dollars and teams of people to create Stuxnet," he continued. "We don't believe that to be true; it was not that hard to create these problems."

According to NSS, Beresford discovered the attacks in less than three months with a budget of $2,000 to $3,000.

The company has shared its findings with the U.S. Department of Homeland Security and Siemens.

Beresford was due to make a presentation at the TakeDown Conference in Dallas on Wednesday, along with independent security researcher Brian Meixell.

However, the two were asked to delay their presentation.

"We were asked very nicely if we could refrain from providing that information at this time," Beresford told CNET. "I decided on my own that it would be in the best interest of security to not release the information."

NSS said in a blog post explaining the decision to postpone the security talks that "significant additional vulnerabilities in industrial control systems have been identified, responsibly disclosed and validated by affected parties".

It added: "Due to the serious physical, financial impact these issues could have on a worldwide basis, further details will be made available at the appropriate time. Legitimate owners/operators of leading SCADA PLCs may contact us for further information."